PSWN. Land Mobile Radio System Security Planning Template. Final. Public Safety Wireless Network
- Cameron Manning
PSWN Public Safety Wireless Network
Land Mobile Radio System Security Planning Template
Final
FOREWORD

This document, presented by the Public Safety Wireless Network (PSWN) program, provides a template to guide the development of security plans for public safety wireless systems. Local, state, and federal public safety agencies may apply this template to develop security plans for their land mobile radio (LMR) systems. Security plans provide public safety agencies with the information necessary to minimize security risks associated with their radio systems.

To provide comments regarding the information in this document or to obtain additional information regarding the purpose and goals of the PSWN, please contact the PSWN Program Management Office (PMO) at PSWN or see the PSWN Web page at

LMR Security Planning Template i
TABLE OF CONTENTS

1. Introduction
   Purpose
   Scope
   Document Organization
   How To Use the Template
   Terminology
2. System Identification
   System Name/Acronym
   Responsible Organization
   Designated Point of Contact
   System Operator
   System Status
   System Description
   System Interconnection/Information Sharing
   System Environment
3. Sensitivity of Information
   Applicable Laws or Regulations Affecting the System
   Information Sensitivity
   General Description of Sensitivity
   Protection Needs
4. System Security Control Measures
   Status of Security Activities
   Material Weaknesses
   Security Control Measures
   A. Management/Administrative Controls
      Assignment of Security Responsibility
      Risk Assessment and Management
      Security Documentation
      Security Awareness and Training
      Personnel Screening
      Continuity of Support
      Management of Contractors
   B. Computer/Network Management Controls
      User Identification and Authentication
      Access Controls
      Audit Trails
      Virus Protection
      Dial-in Access
   C. Physical Controls
      Facility Protection
      Computer Room(s)
      Dispatch Center(s)
      Remote Tower Sites
      Telecommunications Closet
      Environmental Protection
   D. Communications Controls
      Transmission Security
      Encryption
      Key Management for Encryption
      Trunked Key Management
      Firewall/Router
   E. Radio Controls
      Radio Authentication
      Talk Group Assignment
      Lost and Stolen Radio Controls
      Radio Maintenance
   F. MDTs/MCTs Controls
      User Identification and Authentication
      Access Controls
      Audit Trails
      MDTs/MCTs Maintenance
5. Additional Needs/Comments
6. Review and Approval Signatures
APPENDIX A REFERENCES
APPENDIX B LIST OF ACRONYMS
1. INTRODUCTION

Today's rapidly changing technical environment requires public safety agencies to adopt a minimum set of security controls to protect their information technology (IT) resources. Executive Order 13010, National Performance Review Action Item A06, the final report from the President's Commission on Critical Infrastructure Protection (PCCIP), and Presidential Decision Directives (PDD) 62 and 63 require that the emergency services infrastructure be protected from physical and cyber threats. Additionally, PDD 67 requires that critical federal agencies' infrastructures provide continuity of operations in emergency situations.

The Public Safety Wireless Network (PSWN) Program Management Office (PMO) is supporting this ongoing requirement by encouraging public safety agencies to prepare for major technology changes that could dramatically affect the security posture of their communications systems. To ensure secure implementation of a new radio system or secure configuration of an existing radio system, a security plan is necessary as part of the system development life cycle process.

This security planning template is intended for use by local, state, and federal public safety agencies in developing security plans for their land mobile radio (LMR) communications systems. The PSWN program recommends that radio managers use this template to develop their security plans and to ensure necessary management support to improve security of their radio systems.

1.1 Purpose

The objective of system security planning is to improve protection of IT resources. All radio communication systems have some level of sensitivity and require protection as part of good system management. It is a good business practice to document the protection of a radio system in a system security plan.
This template provides a guideline for public safety radio system managers to follow when developing their own security plans that document management, technical, and operational controls for radio systems. The security plan shall be viewed as documentation of the structured process for planning adequate, cost-effective security protection of a radio system. The security plan will allow radio managers to accomplish the following objectives:

- Identify the security requirements of the radio system
- Identify the radio system's overall security posture
- Identify the security controls implemented to protect the radio system from its risks and vulnerabilities
- Identify additional security controls that will improve the protection of the radio system resources
1.2 Scope

Provide public safety agency management with the information necessary to secure the radio system. This LMR System Security Planning Template follows guidance documented in Office of Management and Budget (OMB) Bulletin 90-18, Guidance for Preparation and Submission of Security Plans for Federal Computer Systems Containing Sensitive Information, dated July 9, This template includes brief instructions on how to complete each section and its subsections. Additionally, it provides examples of security controls that may be incorporated into radio systems.

Security plans are living documents that require periodic reviews, modifications, and milestone or completion dates for planned controls. Procedures shall be in place outlining who reviews the plans and follows up on planned controls. In addition, procedures are needed describing how security plans will be used in the authorization process.

This document is a comprehensive template that includes detailed security features to cover any radio applications and systems. This template can readily be tailored to any public safety agency's environment. Additional information may be included in the basic plan, and the structure and the format can be organized according to agency needs as long as the major sections described in this document are adequately covered. The level of detail included within the plan shall be consistent with the criticality and value of the radio system to the organization's mission (i.e., a more detailed plan is required for systems critical to the organization's mission).

1.3 Document Organization

This security planning template is organized as follows:

- Section I provides an introduction to the report, including the purpose, scope, how to use the template, and terminology.
- Section II outlines the system analysis process in terms of system components, functions, and connectivity.
- Section III provides guidance on determining the radio system's sensitivity and the criticality of information transmitted through the radio system components.
- Section IV explains security controls that are to be considered and incorporated into the radio system.
- Section V provides radio managers with an opportunity to include additional comments about the security status of their radio systems.
- Section VI provides an approval or disapproval form for the security plan.
1.4 How To Use The Template

The template is organized and presented as a technical document for use by radio managers responsible for the security of radio systems to enable them to develop their own radio system security plans. When completed, a security plan will document technical information about the system, its security requirements, and the controls implemented to provide protection against potential risks and vulnerabilities. This template provides brief guidance on developing the major sections of a security plan. The heart of the template is Sections 2-4.

Section 2 of the template presents information related to a radio system that defines services that the radio system provides, system components, and system interfaces. Based on the system description, radio managers can identify potential vulnerabilities associated with their systems.

Section 3 of the template provides a list of regulations and directives that provide security policies and procedures for protecting radio systems. To protect sensitive and critical information from unauthorized disclosure, modification or destruction, radio managers must understand the sensitivity and criticality level of the information transmitted among the radio system components. Section 3 provides examples of considerations that radio managers can review to determine the degree of sensitivity and criticality of information and protection needs to mitigate potential vulnerabilities and risks identified in Section 2.

Section 4 of the template provides a comprehensive list of security measures that may mitigate potential vulnerabilities and risks associated with radio systems. Radio managers shall determine security controls that are applicable to their radio systems based on the security level of information and protection needs defined in Section 3.
After selecting the status of the security controls, radio managers can determine the overall risk level of their radio systems and actions to be taken to protect the systems (e.g., request of funds to implement additional security controls and secure the configuration of the system).

1.5 Terminology

To ensure a common understanding of the terminology used to explain the security activities and security services, the following definitions are provided for terms used in this report.

Access Control. A technique used to define or restrict the rights or capabilities of individuals or application programs to communicate with other individuals or application programs and/or to obtain data from, or place data onto, a storage device.

Audit Trail. A chronological record of system activities that is sufficient to reconstruct and review the sequence of events surrounding or leading up to all transactions and actions performed on or by the system.

Authentication. The process of verifying the identity of a user, terminal, or application program to prevent fraud, abuse, and misuse of services.

Availability. The accessibility and usability of service upon demand by an authorized entity.

Confidentiality. The protection that ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Configuration Management. The process of controlling modifications to systems, applications, or to system documentation. Configuration management protects the system or applications against unintended and unauthorized modifications.

Contingency Plan. A plan of action to restore the system's critical functions in case normal processing is unavailable for reasons such as natural disasters, equipment failure, or malicious destructive actions.

Encryption. The process of transforming plain text into unintelligible form by means of a cryptographic system.

Identification. A code, user name, cards, or token that identifies an individual.

Integrity. The protection that ensures that data has not been altered (modified, inserted, or deleted), repeated, or destroyed in an unauthorized manner, either accidentally or maliciously.

Jamming. The intentional transmission of radio signals in order to interfere with the reception of signals from another transmitter.

Key. When used in the context of encryption, a series of characters that are used by an encryption algorithm to transform plain text data into encrypted (cipher text) data, and vice versa.

Key Management. The process, policies, procedures, and administration encompassing every stage in the life cycle of a cryptographic key, including generation, distribution, entry, use, storage, destruction, and archiving.

Land Mobile Radio. A mobile communications service between land mobile stations or between land mobile stations and base stations.

Mobile Data Terminal. Radio unit installed in a vehicle that provides access to remote database files and communications with the dispatch office.

Over-the-Air-Rekeying (OTAR). Distribution of cryptographic keys over the air. A central facility, called a Key Management Facility (KMF), stores all keys used in a system. The KMF distributes the keys by first encrypting the key and then transmitting it over the air to subscriber units in the system. Subscribers decrypt the keys and store them for use among themselves.

Password. A protected word, phrase, or a string of characters that is used to authenticate the identity of a user.

Risk. The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.

Risk Assessment. The process of assessing the risk to automated information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.

Security Plan. A document that outlines a site's plan for securing its system.

Sensitive Information. Information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.

Threat. An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.

Vulnerability. A flaw or weakness in a system that may provide an avenue for an intruder, malicious or otherwise, to compromise the security, integrity, or availability of an information system.

Virus. A self-executing program that is hidden from view and that secretly copies itself in such a way as to infect parts of the operating system and/or application programs.
2. SYSTEM IDENTIFICATION

Before the plan can be developed, a determination must be made as to which type of plan is required for the system. This section provides basic identifying information about the system: who is responsible for the system, the system functions, and its connectivity.

2.1 System Name and Acronym:

2.2 Responsible Organization: List organization responsible for the overall operation of the system.

2.3 Designated Point of Contact: List individuals to contact for information concerning this security plan and system, security training, security testing, etc.
   Name:
   Title:
   Voice Phone No.:
   Fax Phone No.:
   Address:

2.4 System Operator:
   Agency employees | Contractors
   Specify: | Specify:

2.5 System Status:
   Operational Date:
   Under Development (Operational Date):
   Under Major Modifications (Operational Date):

2.6 System Description: Briefly describe the site, including location, system configuration, and system component functions.
   System location:
   Manufacturer:
   Coverage (e.g., county, state):
   Type of users (e.g., police, fire, emergency medical service):
   Number of channels and frequencies:
   Number of dispatch centers:

   a. System Type
      Analog conventional
      Multicast
      Simulcast
      Analog trunked
      Trunked zone
      Digital conventional
      Digital trunked
      Other (specify):

   b. System Application
      Voice Only
      Data Only
      Integrated Voice/Data

   c. System Components
      Network management system
      Wireless data system
      Local area network
      Gateway/router
      Modems
      Controller site
      Portable/mobile radios
      Mobile data terminals
      Mobile computer terminals
      Dispatch consoles
      Remote tower sites
      Backup sites

   d. System Components Connectivity
      Wireline
      Radio frequency link
      Fiber
      Analog microwave
      Digital microwave

   e. Data Connectivity
      Dedicated
      Integrated Services Digital Network (ISDN)
      Public Switched Telecommunications Network (PSTN)

   f. Remote Tower Sites
      Site owned
      Site leased
      Collocated with other organization

   g. Maintenance Facility
      Owned
      Leased

2.7 System Interconnection/Information Sharing: Provide the following information concerning authorization for connecting to other systems or sharing information.
   List of interconnected systems (including Internet):
   Name of systems:
   Organization owning the other system(s):
   Type of interconnection (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP], Dial, Standard Network Architecture [SNA]):
   Name and title of authorizing management official(s):
   Date of authorization:
   Sensitivity level of each system:
   Security concerns of the other systems that need to be considered in the protection of this system:

2.8 System Environment: Briefly describe the environment, including any environmental factors that cause special security concerns (e.g., in earthquake zone, high risk of flood or tornado, poor public utilities).
3. SENSITIVITY OF INFORMATION

This section describes the types of information handled by the radio system and thus provides the basis for defining the system's security requirements. The sensitivity and criticality of the information stored within, processed by, or transmitted by the radio system provides a basis for the value of the system and is one of the major factors in risk management. The description will provide information to a variety of users, including:

- Developers who will use it to help design appropriate security controls
- Internal and external auditors evaluating system security measures
- Managers making decisions about the reasonableness of security countermeasures.

The nature of the information sensitivity and criticality must be described in this section. The description must cover applicable regulations, directives, and policies affecting the system and a general description of sensitivity as discussed in the following subsections.

3.1 Applicable Laws or Regulations Affecting the System: List laws and regulations that establish specific requirements for confidentiality, integrity, and availability of the system.

Federal Directives and Regulations
- Presidential Decision Directive 63
- OMB A-130, Security of Federal Automated Information Resources
- Executive Order 13010, Critical Infrastructure Protection
- Computer Security Act of 1987

Federal Information Processing Standards Publications
- FIPS PUB 140-1, Security Requirements for Cryptographic Modules
- FIPS PUB 46-2, Data Encryption Standard

State Regulations
- State Security Policy and Procedures

Local Regulations
- Local Security Policy and Procedures
General Guidance
- Telecommunications Industry Association/Electronics Industry Association, Interim Standards (TIA/EIA IS), 102.AAAA-A, Data Encryption Standard (DES) Encryption Protocol
- TIA/EIA TSB 102.AAAB, Project 25, Security Services Overview, New Technology Standards Project, Digital Radio Technical Standards
- TIA/EIA TSB 102.AACA Project 25, Over-The-Air-Rekeying (OTAR) Protocol, New Technologies Standards Project, Digital Radio Technical Standards

3.2 Information Sensitivity: Type of sensitive information handled by this system. (Check ALL that apply)
   Law enforcement
   Privacy Act information
   Medical history information
   Criminal records
   Other (specify):

3.3 General Description of Sensitivity

The purpose of this section is to review the system requirements against the need for availability, integrity, and confidentiality. It is important that the degree of sensitivity of information be assessed by considering the requirements for availability, integrity, and confidentiality of the information. This process shall occur at the beginning of the radio system's life cycle and be reexamined during each life cycle stage. Through this analysis, the value of the system can be determined. This value is one of the first major factors to be determined in risk management.

The security planning process is designed to reduce the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of information stored and processed on the radio system. A risk assessment is a part of an approach to determine adequate, cost-effective security for a system. The risk level of the system is determined based on two factors: 1) the likelihood that vulnerabilities will be exploited, and 2) the impact that the successful exploitation of the vulnerabilities will have on the agency's operation.
A system may need protection for one or more of the following reasons.

A. Confidentiality: The system contains information that requires protection from unauthorized disclosure.

   Example of Information Requiring Protection
   Confidentiality | Law enforcement information (e.g., criminal records, drug raids), personal information (covered by Privacy Act), medical history information

B. Integrity: The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification, including detection of such activities (e.g., systems critical to safety or life support).

   Example of Information Requiring Protection
   Integrity | Location of incidents, medical history information

C. Availability: The system contains information or provides services that must be available on a timely basis to meet mission requirements or to avoid substantial losses.

   Example of Information Requiring Protection
   Availability | Systems critical to safety, life support, hurricane forecasting

3.4 Protection Needs

Describe, in general terms, the information handled by the system and the need for protective measures. Relate the information to each of the three categories (confidentiality, integrity, and availability) shown in the following table and indicate whether the protection requirement is

- High: a critical concern of the system
- Medium: an important concern, but not necessarily paramount in the organization's priorities
- Low: some minimal level of security is required, but not to the same degree as the preceding categories

Protection Requirements for System Information
Information Categories | High | Medium | Low
Confidentiality        |      |        |
Integrity              |      |        |
Availability           |      |        |
Examples of the general statement are provided below.

Examples of a General Protection Requirement Statement

A high degree of security for the system is considered mandatory to protect the confidentiality, integrity, and availability of information. The protection requirements for all system resources are critical concerns for the system.

OR

Confidentiality is not a concern for this system as it contains information intended for immediate release to the general public concerning fires or hurricanes. The integrity of the information, however, is extremely important to ensure that the most accurate information is provided to the public to allow them to make decisions about the safety of their families and property. The most critical concern is to ensure that the system is available at all times to support life-threatening events.

The following tables provide examples to help radio managers determine the level of protection requirements for their radio systems.

Example Confidentiality Considerations
Evaluation | Comment
High | The system transmits public safety information, which if disclosed to unauthorized sources, could result in failure of mission or operations.
Medium | Security requirements for assuring confidentiality are of moderate importance. Having access to the information does not reveal information involving integrity of operations or mission.
Low | The mission of this system is to provide general information to citizens which is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

Example Integrity Considerations
Evaluation | Comment
High | The system provides communications capabilities among various public safety agencies. Unauthorized or unintentional modification of this information could cause chaos between the agencies, resulting in failure of life support or people safety.
Medium | Assurance of the integrity of the information is required to the extent that destruction of the information would require significant effort to replace. Although corrupted information would present an inconvenience to the agency personnel, most information is backed up regularly.
Low | The system mainly contains messages and reports. Intentional or unintentional modification of the information would not be a major concern for the organization.
Example Availability Considerations
Evaluation | Comment
High | The system contains talk group template programs. Unavailability of the system could result in failure of the organization to meet critical mission requirements (e.g., people safety, life support). The system requires 24-hour access.
Medium | Unavailability of the system could have a limited impact on the organization's mission. Information backups maintained at off-site storage would be sufficient to carry on with the organization's mission to a limited extent.
Low | The system serves primarily as a server for . Should the system become unavailable, the organization's mission will not be limited.
4. SYSTEM SECURITY CONTROL MEASURES

This section documents the status of security activities and control measures (in-place or planned) that are intended to meet the protection requirements of the system that have been determined in Section

Status of Security Activities: Please provide dates for the security activities below:

                             | Date of Last | Date Planned
Design Review                |              |
Risk Assessment              |              |
Security Reviews             |              |
Security Test and Evaluation |              |
Other (Specify):             |              |

If there is no risk assessment for the radio system, include a milestone date (month and year) for completion of the risk assessment. If the risk assessment is more than 3 years old, or there have been major changes to the system or functions, include a milestone date (month and year) for completion of a new or updated risk assessment. Assessing the risk to a system shall be an ongoing activity to ensure that new threats and vulnerabilities are identified and appropriate security measures are implemented.

4.2 Weaknesses: Were any security or control weaknesses identified during the last security review of this system? If yes, describe the weaknesses.

4.3 Security Control Measures: For each security measure listed, select the appropriate security control measure status in terms of:

- In Place: Control measures of the type listed are in place and operational, and judged to be effective. Describe in general terms.
- Planned: Specific control measures (e.g., new, enhanced) are planned for the radio system. A general description of the planned measures, resources involved, and expected operational dates shall be provided.
- Action Required: Some measures are not planned or implemented, but specific actions are required to protect the system. A general description of the actions, including the resources involved and expected operational dates, shall be provided.
- Not Applicable (N/A): This type of control measure is not needed, cost-effective, or appropriate for the radio system.
22 A. Management/Administrative Controls: Overall management controls of the radio system. Management controls focus on managing the radio system and its risks. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms. 1. Assignment of Security Responsibility 1) Security Manager In Place Planned Action Required N/A 2) Security Officer (for day-to day operations) In Place Planned Action Required N/A 2. Risk Assessment and Management 1) Design stage risk assessment In Place Planned Action Required N/A 2) Operational risk assessment In Place Planned Action Required N/A 3) Periodic risk assessments In Place Planned Action Required N/A 4) Periodic security reviews In Place Planned Action Required N/A 5) Security testing In Place Planned Action Required N/A 3. Security Documentation 1) Security specifications In Place Planned Action Required N/A 2) Security Design Documentation In Place Planned Action Required N/A 3) Configuration Management Plan In Place Planned Action Required N/A 4) System Security Plan In Place Planned Action Required N/A 5) Risk Assessment Report In Place Planned Action Required N/A 6) Security Test and Evaluation Report In Place Planned Action Required N/A 7) Memoranda of understanding with interfacing systems In Place Planned Action Required N/A 4. Security Awareness and Training 1) Security training materials In Place Planned Action Required N/A 2) Emergency operations procedures In Place Planned Action Required N/A 3) Initial security briefing In Place Planned Action Required N/A 4) Refresher training In Place Planned Action Required N/A 5) Exit briefing In Place Planned Action Required N/A 5. 
Personnel Screening
1) Employee screening before hiring: In Place | Planned | Action Required | N/A
2) Contractor screening: In Place | Planned | Action Required | N/A
3) Background investigation based on job level: In Place | Planned | Action Required | N/A
4) Maintenance personnel screening: In Place | Planned | Action Required | N/A
5) Cleaning personnel screening: In Place | Planned | Action Required | N/A

6. Continuity of Support
1) Continuity of Operations Plan (COOP): In Place | Planned | Action Required | N/A
2) Disaster and Contingency Plans: In Place | Planned | Action Required | N/A
3) Backup sites: In Place | Planned | Action Required | N/A
4) Alternate sites: In Place | Planned | Action Required | N/A
5) Alternate power sources: In Place | Planned | Action Required | N/A
6) Alternate path of communications: In Place | Planned | Action Required | N/A
7) Regular backup: In Place | Planned | Action Required | N/A
8) Off-site storage facility: In Place | Planned | Action Required | N/A
9) Emergency operations plans: In Place | Planned | Action Required | N/A
10) Regular contingency planning test: In Place | Planned | Action Required | N/A

7. Management of Contractors
1) Contractors screening: In Place | Planned | Action Required | N/A
2) Periodic contractors validation reviews: In Place | Planned | Action Required | N/A
3) Contractors' system account management: In Place | Planned | Action Required | N/A
4) Security training for contractors: In Place | Planned | Action Required | N/A

B. Computer/Network Management Controls: Hardware, software, and network controls used to provide automated protection. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms.

1. User Identification and Authentication
1) Unique user identification (ID): In Place | Planned | Action Required | N/A
2) User authentication
   a. Passwords: In Place | Planned | Action Required | N/A
   b. Biometrics: In Place | Planned | Action Required | N/A
   c. Smart cards: In Place | Planned | Action Required | N/A
   d. Token controls: In Place | Planned | Action Required | N/A
3) User account management: In Place | Planned | Action Required | N/A
4) Disabling inactive user accounts: In Place | Planned | Action Required | N/A

2. Access Controls
1) User profiles: In Place | Planned | Action Required | N/A
2) Separation of duties: In Place | Planned | Action Required | N/A
3) Privilege assignments: In Place | Planned | Action Required | N/A
4) User account lockout: In Place | Planned | Action Required | N/A
5) Screen saver: In Place | Planned | Action Required | N/A

3. Audit Trails
1) Audit report generation: In Place | Planned | Action Required | N/A
2) Regular audit report reviews: In Place | Planned | Action Required | N/A

4. Virus Protection
1) Installation of anti-virus software: In Place | Planned | Action Required | N/A
2) Diskette scanning policy: In Place | Planned | Action Required | N/A
3) Regular update of virus software: In Place | Planned | Action Required | N/A
5. Dial-in Access
1) User ID: In Place | Planned | Action Required | N/A
2) Passwords: In Place | Planned | Action Required | N/A
3) Dial-back mechanism: In Place | Planned | Action Required | N/A
4) Strong authentication: In Place | Planned | Action Required | N/A
5) User account management: In Place | Planned | Action Required | N/A

C. Physical Controls: Controls used to protect the facility, computer center, dispatch center, radio sites, and backup sites. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms.

1. Facility Protection
1) Fenced perimeters: In Place | Planned | Action Required | N/A
2) Safeguards: In Place | Planned | Action Required | N/A
3) Visitor's log: In Place | Planned | Action Required | N/A
4) Visitor escort: In Place | Planned | Action Required | N/A
5) Electronic access devices: In Place | Planned | Action Required | N/A
6) Controlled circuit TV: In Place | Planned | Action Required | N/A
7) Alarmed doors: In Place | Planned | Action Required | N/A

2. Computer Room(s)
1) Visitor's log: In Place | Planned | Action Required | N/A
2) Visitor escort: In Place | Planned | Action Required | N/A
3) Keys: In Place | Planned | Action Required | N/A
4) Cipher lock: In Place | Planned | Action Required | N/A
5) Electronic access devices: In Place | Planned | Action Required | N/A
6) Alarmed doors: In Place | Planned | Action Required | N/A

3. Dispatch Center(s)
1) Fenced perimeters: In Place | Planned | Action Required | N/A
2) Safeguards: In Place | Planned | Action Required | N/A
3) Visitor's log: In Place | Planned | Action Required | N/A
4) Visitor escort: In Place | Planned | Action Required | N/A
5) Keys: In Place | Planned | Action Required | N/A
6) Cipher lock: In Place | Planned | Action Required | N/A
7) Electronic access devices: In Place | Planned | Action Required | N/A
8) Controlled circuit TV: In Place | Planned | Action Required | N/A
9) Alarmed doors: In Place | Planned | Action Required | N/A

4. Remote Tower Sites
1) Fenced perimeters: In Place | Planned | Action Required | N/A
2) Barbed wire: In Place | Planned | Action Required | N/A
3) Visitor's log: In Place | Planned | Action Required | N/A
4) Visitor escort: In Place | Planned | Action Required | N/A
5) Keys: In Place | Planned | Action Required | N/A
6) Cipher lock: In Place | Planned | Action Required | N/A
7) Electronic access devices: In Place | Planned | Action Required | N/A
8) Controlled circuit TV: In Place | Planned | Action Required | N/A
9) Alarmed doors: In Place | Planned | Action Required | N/A
5. Telecommunications Closet
1) Keys: In Place | Planned | Action Required | N/A
2) Cipher lock: In Place | Planned | Action Required | N/A

6. Environmental Protection
1) Fire extinguishers: In Place | Planned | Action Required | N/A
2) Fire suppression systems: In Place | Planned | Action Required | N/A
3) Smoke detector: In Place | Planned | Action Required | N/A
4) Water sprinkler: In Place | Planned | Action Required | N/A
5) Fire alarm system: In Place | Planned | Action Required | N/A
6) Lightning protection: In Place | Planned | Action Required | N/A
7) Uninterruptible power supply (UPS): In Place | Planned | Action Required | N/A
8) Battery: In Place | Planned | Action Required | N/A
9) Generator: In Place | Planned | Action Required | N/A
10) Independent air conditioning unit: In Place | Planned | Action Required | N/A
11) Raised floor: In Place | Planned | Action Required | N/A
12) Emergency lighting: In Place | Planned | Action Required | N/A
13) Surge protector: In Place | Planned | Action Required | N/A

D. Communications Controls: Controls used to protect information transmitted among radio system components. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms.

1. Transmission Security
1) Intentional radio channel interference
   a. Radio channel interference detection: In Place | Planned | Action Required | N/A
   b. Automatic interference clearance: In Place | Planned | Action Required | N/A
2) Unintentional radio channel interference
   a. Radio channel interference detection: In Place | Planned | Action Required | N/A
   b. Automatic interference clearance: In Place | Planned | Action Required | N/A

2. Encryption
1) Voice encryption: In Place | Planned | Action Required | N/A
2) Data encryption: In Place | Planned | Action Required | N/A
If encryption is used, explain the type of encryption level and algorithm.

3. Key Management for Encryption
1) Written procedures: In Place | Planned | Action Required | N/A
2) Over-the-air-rekeying: In Place | Planned | Action Required | N/A
3) Regular key change: In Place | Planned | Action Required | N/A
4) Rekey lockout: In Place | Planned | Action Required | N/A
5) Key lost key rekey: In Place | Planned | Action Required | N/A

4. Trunked Key Management
1) Written procedures: In Place | Planned | Action Required | N/A
2) Access controls for key holders: In Place | Planned | Action Required | N/A
3) Regular key reviews: In Place | Planned | Action Required | N/A

5. Firewall/Router
1) User ID: In Place | Planned | Action Required | N/A
2) Passwords: In Place | Planned | Action Required | N/A
3) Restricted access controls: In Place | Planned | Action Required | N/A
4) Audit report generation and regular review: In Place | Planned | Action Required | N/A
5) Regular backup: In Place | Planned | Action Required | N/A
6) Limited IP Addresses: In Place | Planned | Action Required | N/A
7) Packet filtering: In Place | Planned | Action Required | N/A
8) Limited network trusted relationships: In Place | Planned | Action Required | N/A
9) Network address translation: In Place | Planned | Action Required | N/A

E. Radio Controls: Controls used to protect communications using radios. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms.

1. Radio Authentication
1) Radio user authentication: In Place | Planned | Action Required | N/A
2) Radio unit authentication: In Place | Planned | Action Required | N/A
3) Radio user account management: In Place | Planned | Action Required | N/A

2. Talk Group Assignment: In Place | Planned | Action Required | N/A
1) Restricted access to template files: In Place | Planned | Action Required | N/A
2) Template control reviews: In Place | Planned | Action Required | N/A

3. Lost and Stolen Radio Controls
1) Notification procedures: In Place | Planned | Action Required | N/A
2) Over-the-air radio inhibit: In Place | Planned | Action Required | N/A
3) Loaned radio controls: In Place | Planned | Action Required | N/A

4. Radio Maintenance
1) Inventory controls: In Place | Planned | Action Required | N/A
2) Secure disposal: In Place | Planned | Action Required | N/A
3) Secure destruction: In Place | Planned | Action Required | N/A
4) Contractor controls: In Place | Planned | Action Required | N/A
F. MDTs/MCTs Controls: Controls used to protect communications using MDTs/MCTs. The types of control measures shall be consistent with the need for protection of the radio system. Select appropriate security control measures status and describe the measures in general terms.

1. User Identification and Authentication
1) User ID: In Place | Planned | Action Required | N/A
2) Password: In Place | Planned | Action Required | N/A
3) Personal identification number: In Place | Planned | Action Required | N/A
4) License tag number: In Place | Planned | Action Required | N/A
5) Radio serial number: In Place | Planned | Action Required | N/A
6) User account management: In Place | Planned | Action Required | N/A

2. Access Controls
1) User account lockout: In Place | Planned | Action Required | N/A
2) Automatic timeout feature: In Place | Planned | Action Required | N/A

3. Audit Trails
1) Audit report generation: In Place | Planned | Action Required | N/A
2) Audit report reviews: In Place | Planned | Action Required | N/A

4. MDTs/MCTs Maintenance
1) Inventory controls: In Place | Planned | Action Required | N/A
2) Secure disposal: In Place | Planned | Action Required | N/A
3) Secure destruction: In Place | Planned | Action Required | N/A
4) Secure data removal from unused MDTs/MCTs: In Place | Planned | Action Required | N/A
5. ADDITIONAL NEEDS AND COMMENTS

This section is intended to provide an opportunity to include additional comments about the security of the subject system and any perceived need for guidance or standards.
6. REVIEW AND APPROVAL SIGNATURES

Plan Development:
Plan Developed by:
Responsible Individual:
Phone Number:
Plan Completion Date:

Plan Review:
Review Staff:
Telephone Number:
APPROVED | DISAPPROVED
Date:
APPENDIX B LIST OF ACRONYMS

COOP: Continuity of Operations Plan
DES: Data Encryption Standard
FIPS PUB: Federal Information Processing Standards Publication
ID: Identification
IS: Interim Standards
ISDN: Integrated Services Digital Network
IT: Information Technology
KMF: Key Management Facility
LMR: Land Mobile Radio
MDT/MCT: Mobile Data Terminal/Mobile Computer Terminal
N/A: Not Applicable
OMB: Office of Management and Budget
OTAR: Over-the-Air Rekeying
PCCIP: President's Commission on Critical Infrastructure Protection
PDD: Presidential Decision Directive
PMO: Program Management Office
PSTN: Public Switched Telecommunications Network
PSWN: Public Safety Wireless Network
SNA: Standard Network Architecture
TCP/IP: Transmission Control Protocol/Internet Protocol
TD P: Treasury Directive Publication
TIA/EIA: Telecommunications Industry Association/Electronics Industry Association
TSB: Telecommunications Systems Bulletins
UPS: Uninterruptible Power Supply
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationPBGC Information Security Policy
PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted
More informationSAMPLE TEMPLATE. Massachusetts Written Information Security Plan
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law
More informationPDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]
PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2
More informationORDER 1370.108. National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ:
National Policy ORDER 1370.108 Effective Date 09/21/09 SUBJ: Voice Over Internet Protocol (VoIP) Security Policy 1. Purpose of This Order. This Order establishes the Federal Aviation Administration s (FAA)
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationWIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION
United States Department of Agriculture Marketing and Regulatory Programs Grain Inspection, Packers and Stockyards Administration Directive GIPSA 3140.5 11/30/06 WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION
More informationSecurity Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1
JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More information